With the help of this tool, we can use the clipboard function to transfer files or data in extremely restricted environments, such as Citrix, RDP, VNC, Guacamole, and others.
As long as we can send text through the clipboard, we can send files in text format (via small Base64 encoded data blocks). In addition, we can even use the native OCR functionality of Windows and take a screenshot to send files.
Tool Requirements
1. PowerShell 5.1;
2. Windows 10 or a later version of the operating system;
Tool Download
Researchers can directly run the following command to clone the source code of this project locally:
git clone https://github.com/JoelGMSec/Invoke-Transfer
Tool Usage Help
.\Invoke-Transfer.ps1 -h

  ----------------------- by @JoelGMSec & @3v4Si0N ---------------------

  Info:  This tool helps you to send files in highly restricted environments
         such as Citrix, RDP, VNC, Guacamole... using the clipboard function

  Usage: .\Invoke-Transfer.ps1 -split {FILE} -sec {SECONDS}
           Send 120KB data blocks, Set the time delay to seconds
           Add the -guaca option to send files via Apache Guacamole

         .\Invoke-Transfer.ps1 -merge {B64FILE} -out {FILE}
           Merge the Base64 file into the original file at the target path

         .\Invoke-Transfer.ps1 -read {IMGFILE} -out {FILE}
           Use Windows OCR to read the screenshot and save the output to a file

  Warning: This tool is only applicable to Windows 10 or higher versions
           OCR reading may not be completely accurate
Tool usage example
From the tool's help information, it can be seen that the tool is very easy to use:
– If we want to send a file, we can use the -split parameter;
– If we want to rebuild a file from its Base64 text, we can use the -merge parameter;
– If we want to read text from a screenshot, we can use the -read parameter;
In the following example, we will send a binary file (SharpHound.exe) using the first option, adding a 2-second delay between blocks with the -sec parameter:
.\Invoke-Transfer.ps1 -split .\SharpHound.exe -sec 2
Next, the tool will split the file into 120KB chunks and notify us when it is ready for transmission. Once we press the Enter key, we will have a few seconds to use the keyboard or mouse to select the position where the text is to be copied. Invoke-Transfer takes care of the rest.
This technique works in most scenarios, although during our testing we ran into one problem: Apache Guacamole.
This special case behaves completely differently. Apache Guacamole does, however, allow us to input text on the other end in three ways. Here, we must press the Ctrl+Alt+Shift key combination to open a console where we can paste the text. Once copied, we can use it in the operating system in the usual way.
Doing this manually many times gets tedious. Fortunately, Invoke-Transfer can automate the entire process: just add the -guaca parameter to the previous command.
Finally, we just need to copy the script itself to the other end and reconstruct the original file from the text generated by the tool with the following command:
.\Invoke-Transfer.ps1 -merge .\SharpHound.txt -out .\SharpHound.exe
For the above process, we provide the following PSAsyncShell code snippet as a reference:
Once the screen capture is complete, we will execute the following command to read the file and convert it to a readable format so that we can use it freely:
.\Invoke-Transfer.ps1 -read .\ScreenShot.png -out .\ScreenShot.txt
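The -split transfer described above produces a recognizable pattern for defenders: a run of large, Base64-only clipboard payloads arriving at a near-constant interval within one remote session. The following detection sketch is an added example, not code from the Invoke-Transfer project. The event record format, the session names and all thresholds are assumptions, as is treating the 120KB block size as the length of the encoded text.

```python
import re
from datetime import datetime
from itertools import groupby

# Thresholds are assumptions for this example, not values from the tool's code.
MIN_CHUNK_CHARS = 50_000  # far above ordinary copy/paste, below a 120KB block
MIN_RUN = 3               # consecutive chunks required before alerting
MAX_JITTER = 1.5          # seconds; a fixed -sec delay gives near-equal gaps
B64_ONLY = re.compile(r"[A-Za-z0-9+/\r\n]+={0,2}\s*")

def is_b64_chunk(text):
    """Large clipboard payload made up only of Base64 alphabet characters."""
    return len(text) >= MIN_CHUNK_CHARS and B64_ONLY.fullmatch(text) is not None

def find_chunked_transfers(events):
    """events: (iso_timestamp, session_id, clipboard_text) records, a
    hypothetical format. Returns a finding per evenly spaced chunk run."""
    findings = []
    ordered = sorted(events, key=lambda e: (e[1], e[0]))
    for session, group in groupby(ordered, key=lambda e: e[1]):
        run = []
        for ts, _, text in list(group) + [(None, session, "")]:  # sentinel flushes last run
            if ts is not None and is_b64_chunk(text):
                run.append((datetime.fromisoformat(ts), len(text)))
                continue
            if len(run) >= MIN_RUN:
                gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(run, run[1:])]
                if max(gaps) - min(gaps) <= MAX_JITTER:
                    findings.append({
                        "session": session,
                        "chunks": len(run),
                        "approx_bytes": sum(n for _, n in run) * 3 // 4,
                        "delay_seconds": round(sum(gaps) / len(gaps), 1),
                    })
            run = []
    return findings

def sample_events():
    """Constructed telemetry: three 120KB Base64 blocks 2 s apart, plus noise."""
    chunk = "QUJD" * 30_720  # 122,880 Base64 characters
    return [
        ("2024-01-01T10:00:00", "rdp-17", "meeting notes, room 4"),
        ("2024-01-01T10:05:00", "rdp-17", chunk),
        ("2024-01-01T10:05:02", "rdp-17", chunk),
        ("2024-01-01T10:05:04", "rdp-17", chunk),
        ("2024-01-01T10:09:00", "rdp-22", chunk),  # one large paste: no alert
    ]

print(find_chunked_transfers(sample_events()))
```

A single large paste or an irregularly timed series is not flagged, so the thresholds should be tuned against normal clipboard use in the monitored environment.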
License Agreement
The development and release of this project follow the GPL-3.0 Open Source License Agreement.
Project Address
Invoke-Transfer: https://github.com/JoelGMSec/Invoke-Transfer
Reference materials
https://darkbyte.net/transfiriendo-ficheros-en-entornos-restringidos-con-invoke-transfer